← Back to Skills Marketplace

Pipelinegate

Name: Pipelinegate
Author: mirni

by mirni · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install gh-pipelinegate

Description

Chain Green Helix tools into multi-step pipelines. Define a sequence of steps (scan-text, scan-skill, check-scope, validate, diff, check-env, convert) and Pi...

README (SKILL.md)

PipelineGate

Chain multiple tools into a single pipeline call.

Start the server

uvicorn pipelinegate.app:app --port 8011

Run a security pipeline

curl -s -X POST http://localhost:8011/v1/run \
  -H "Content-Type: application/json" \
  -d '{
    "steps": [
      {"tool": "scan-text", "input": {"text": "Check this text"}},
      {"tool": "scan-skill", "input": {"skill_content": "---\
name: test\
---\
Hello"}},
      {"tool": "check-scope", "input": {"skill_content": "---\
name: test\
---\
Hello"}}
    ]
  }' | jq

Returns success (all steps passed), total_steps, completed_steps, and results (output per step).

Available tools

curl -s http://localhost:8011/v1/tools | jq '.tools[] | "\(.name): \(.description)"' -r

Tools: scan-text, scan-skill, check-scope, validate, diff, check-env, convert.

Error handling

By default, the pipeline stops on the first error. Set "stop_on_error": false to continue:

curl -s -X POST http://localhost:8011/v1/run \
  -H "Content-Type: application/json" \
  -d '{"steps": [{"tool": "scan-text", "input": {"text": "hi"}}], "stop_on_error": false}' | jq

Usage Guidance

This skill appears to implement the pipeline functionality it claims, but review these points before installing or exposing it: - Local server and environment probing: The server exposes a /v1/run API that can invoke a 'check-env' step which checks for the existence of supplied environment variable names (it returns which names are present or missing). While it doesn't return secret values, this lets callers probe the host environment. Run the server only on localhost or behind an access control mechanism and avoid exposing it to untrusted networks. - Dependency and install mismatch: SKILL.md requests pip packages (fastapi, uvicorn, pydantic, pyyaml, jsonschema). Registry metadata shows an unusual 'uv' id/kind; confirm your install system maps that to pip. The code also imports internal 'products.*' modules that must exist in your environment; otherwise the service will fail. Review/confirm availability of those product libraries. - Minor functional inconsistencies: The tools registry description claims conversion includes TOML but exec_convert only supports JSON and YAML; the SKILL.md doesn't state the 'check-env' probing explicitly. These are implementation mismatches (likely bugs) — confirm behavior before relying on the tool. - Run safely: If you test it, run in an isolated environment (container or VM) and bind uvicorn to 127.0.0.1. Inspect logs and network exposure. If you need to allow remote access, add authentication or restrict access to trusted hosts. If you want, I can point out the exact lines where environment probing and the JSON/YAML/TOML mismatch occur, or produce a minimal wrapper that starts the server bound to localhost only.

Capability Analysis

Type: OpenClaw Skill Name: gh-pipelinegate Version: 1.0.0 The gh-pipelinegate skill bundle implements a FastAPI-based orchestration engine for running security-related analysis tools in sequence. The code provides functionality for scanning text for injections, validating JSON schemas, diffing content, and checking for the presence of required environment variables or binaries (without leaking their values). The implementation uses safe practices such as yaml.safe_load and limits its environment checks to existence verification, showing no signs of malicious intent, data exfiltration, or unauthorized execution.

Capability Assessment

ℹ Purpose & Capability

Name/description align with the code: this is a local pipeline engine that calls existing 'products.*' detectors and extractors. However, the skill imports several internal product modules (products.promptguard, products.skillscan, products.scopecheck) which are external dependencies not declared in SKILL.md or registry metadata; if those modules are missing the service will fail. Overall capabilities are coherent with the description but rely on internal product libraries.

ℹ Instruction Scope

SKILL.md instructs launching a uvicorn API and POSTing step payloads — consistent with the FastAPI app. The code implements expected tools, but there are subtle scope items: the 'check-env' tool programmatically inspects the host process environment (os.environ) and reports which requested env var names are present/absent; SKILL.md does not explicitly call out that probing behavior. The 'check-scope' tool returns detected filesystem paths and network URLs extracted from provided SKILL.md content (it does not itself read files or access network resources).

ℹ Install Mechanism

SKILL.md metadata shows a pip-style install of common Python packages (fastapi, uvicorn, pydantic, pyyaml, jsonschema). Registry install shows an id/kind 'uv' which is unusual but the SKILL.md itself lists pip packages. Installing via pip from PyPI is expected for a Python web app (moderate risk) but requires network access and will write packages to disk. No arbitrary URL downloads or extract-from-unknown-host signs were observed.

⚠ Credentials

The skill declares no required env vars, yet the code can inspect os.environ when you invoke the 'check-env' tool and will report which requested variable names are present. That lets callers probe whether specific environment variables exist on the host (it does not return variable values, only presence). Because the service opens an HTTP API, if that API is reachable by others it could be used to remotely probe which env names exist on the host. This capability is functionally related to a 'check-env' tool but represents a potential information-leak risk and should be documented and constrained.

✓ Persistence & Privilege

The skill does not request persistent/autoload privileges (always:false). It does not modify other skills' configs or system-wide settings. It runs as a local web server when started by the user; its runtime privileges are the privileges of the user running the process.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install gh-pipelinegate
After installation, invoke the skill by name or use /gh-pipelinegate
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of gh-pipelinegate. - Enables chaining of Green Helix tools into configurable pipelines. - Supports step sequencing, with options to stop on error or continue on failure. - REST API to run pipelines and list available tools. - Tools supported: scan-text, scan-skill, check-scope, validate, diff, check-env, convert. - Returns detailed results for each pipeline step.

Metadata

Slug gh-pipelinegate

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Pipelinegate?

Chain Green Helix tools into multi-step pipelines. Define a sequence of steps (scan-text, scan-skill, check-scope, validate, diff, check-env, convert) and Pi... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.

How do I install Pipelinegate?

Run "/install gh-pipelinegate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pipelinegate free?

Yes, Pipelinegate is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pipelinegate support?

Pipelinegate is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Pipelinegate?

It is built and maintained by mirni (@mirni); the current version is v1.0.0.

More Skills